BelkaCTF #2: Drugdealer Case

Direct: dl.spbctf.com/BelkaDayUS_CTF_IMAGE.7z

Torrent: dl.spbctf.com/BelkaDayUS_CTF_IMAGE.7z.torrent

Archive password: CwMglC7pLRHSkIlwoSqA

Loading the image in Magnet, we can observe that there are 7769 evidence items to analyze. I have also adjusted the time zone to get accurate results on my findings.

What is the full name of the phone owner? Format: First Name Last Name.

Derek Hor

What is the phone number he reported to about drug delivery?

Downloading the contacts2.db file and opening it in Visual Studio makes it look as if the file is corrupt, even though the contact details can still be found inside it.

However, searching for the phone number on the Autopsy tool is very straightforward as the forensic tool is able to show the contact number.

+12395104974

What were the suspect’s delivery locations on the night of arrest?

Camelback Golf Club, 7847 N Mockingbird Ln, Scottsdale, AZ (33.5542226,-111.9340928)

2013 W Harwell Rd., Phoenix, AZ (33.374304,-112.1035501)

33°29'04.2"N 111°52'38.0"W (33.4845,-111.877215)

How long has the suspect been acting as a drug dealer?

303 days

From what Bitcoin wallet did he get paid the last time for his job?

Searching the Bitcoin addresses on the blockchain provides 3 results

113JqY3CqsQPT7EN6wj5tRAVKftEP9rQC

What is the phone number of the drug supplier?

1. After locating the Signal backup (manually) and the password (any SQLite viewer, this time you do not need WAL or freelist support), you can use an open source tool https://github.com/pajowu/signal-backup-decode as follows:

/root/.cargo/bin/signal-backup-decode --password '04049 19810 47697 72485 91554 88046' signal-2020-12-20-21-04-59.backup

2. The tool creates an SQLite database with the extracted data. In the 'recipient' table we see two phone numbers: +13148346839, corresponding to profile name horatio0.42k (it's Derek Hor), and +14233767293, which is our target supplier.

+14233767293

When was the last time the suspect met his supplier? Provide exact timestamp in a common format, e.g. 2021-07-17 17:07:07 UTC

1. This time we can use the Signal message history extracted. There we see that there was a meeting planned for Dec 17th at 2 PM, and the planned location was 33.508136, -112.148462

2. Alas, this was not the last meeting with the supplier. False lead! Well, almost...

3. If we look at the Calendar, we can find the 33.508146, -112.148462 location for one of the events, for 2020-12-17 at 21:00:00 UTC (it is 2 pm Phoenix time)

4. Select this event and switch to the SQLite view of the Calendar. The title of the event is 'Pizza delivery'.

Converted the epoch timestamp to UTC with an online Unix time tool: https://www.epochconverter.com/

Sat, 10 Apr 2021 07:30:00 UTC

What is the supplier's phone IMEI identifier? Help yourself to the NSA metadata storage: cellrecordslookup.nsa.fyi

Sun, 28 Jun 2020 00:00:00 -0700 33°32'56.2"N 112°06'22.5"W

Wed, 02 Sep 2020 11:00:00 -0700 33°32'16.4"N 112°07'11.9"W

Thu, 17 Dec 2020 14:00:00 -0700 33.508146, -112.148462

Tue, 29 Dec 2020 14:00:00 -0700 33.528795, -112.071941

Tue, 16 Mar 2021 15:20:00 -0700 33.54730553325095 (bad location)

Sat, 10 Apr 2021 00:30:00 -0700 33.529455426023574, -112.0847381568517

1. For this task, we were given an 'NSA' tool that allows us to look up cellphone registration history. When we look at the tool, we see we need a latitude, longitude, and a date (in MST). Now we must enter the data. Take the data extracted from the Calendar, either automatically by Belkasoft X or manually by yourself.

2. Feed every line into the lookup tool. You will get as output the number of devices found, with their IMEIs. Copy the list of IMEIs into an Excel spreadsheet. You can intersect all the lists by duplicate search (meaning that an IMEI was found in more than one location). Just two IMEIs will be common to all the locations: 350236009513272 and 332182208414842. One of those is Derek, the other is the supplier.
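As an added example (not part of the original writeup), here is a Python script that turns Calendar lines in the format listed above into the decimal latitude/longitude and MST date the lookup tool asks for, and then performs the duplicate-search step by intersecting the per-location IMEI lists. The per-location IMEI result lists are constructed sample data; only the two IMEIs named in the writeup are taken from the page.

```python
import re
from datetime import datetime, timezone

# Calendar lines in the exact format the writeup lists them (the two below are
# copied from the page); the lookup tool wants decimal lat/lon plus an MST date.
CALENDAR_LINES = [
    "Sun, 28 Jun 2020 00:00:00 -0700 33°32'56.2\"N 112°06'22.5\"W",
    "Thu, 17 Dec 2020 14:00:00 -0700 33.508146, -112.148462",
]

LINE_RE = re.compile(r'^(\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+(.*)$')
DMS_RE = re.compile(r'(\d+)°(\d+)\'([\d.]+)"([NSEW])')

def dms_to_decimal(dms):
    """Convert 33°32'56.2"N to signed decimal degrees (S and W negative)."""
    deg, minutes, sec, hemi = DMS_RE.fullmatch(dms.strip()).groups()
    value = int(deg) + int(minutes) / 60 + float(sec) / 3600
    return -value if hemi in 'SW' else value

def parse_calendar_line(line):
    """Return (mst_date, utc_timestamp, lat, lon) for one Calendar line.
    -0700 is MST year-round (Phoenix has no DST), so the date is already MST."""
    stamp, coords = LINE_RE.match(line).groups()
    dt = datetime.strptime(stamp, '%a, %d %b %Y %H:%M:%S %z')
    if '°' in coords:                      # DMS form: 33°32'56.2"N 112°06'22.5"W
        lat_s, lon_s = coords.split()
        lat, lon = dms_to_decimal(lat_s), dms_to_decimal(lon_s)
    else:                                  # decimal form: 33.508146, -112.148462
        lat, lon = (float(p) for p in coords.split(','))
    utc = dt.astimezone(timezone.utc).strftime('%Y-%m-%d %H:%M:%S UTC')
    return dt.strftime('%Y-%m-%d'), utc, lat, lon

def common_imeis(results_by_location):
    """IMEIs present in every location's result list (the 'duplicate search' step)."""
    sets = [set(imeis) for imeis in results_by_location.values()]
    return set.intersection(*sets) if sets else set()

# Constructed lookup output: the two IMEIs named in the writeup plus per-location noise.
SAMPLE_RESULTS = {
    '2020-06-28': ['350236009513272', '332182208414842', '111111111111111'],
    '2020-12-17': ['222222222222222', '350236009513272', '332182208414842'],
    '2021-04-10': ['332182208414842', '333333333333333', '350236009513272'],
}

if __name__ == '__main__':
    for line in CALENDAR_LINES:
        print(parse_calendar_line(line))
    print(sorted(common_imeis(SAMPLE_RESULTS)))
```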

Tools used: Magnet Axiom, epochconverter.com, VS code application, Autopsy, www.timeanddate.com/date, blockchair.com/bitcoin/outputs, cellrecordslookup.nsa.fyi

Resource

CTF | Belkasoft